This Data Processing Agreement (“DPA”) forms part of the agreement that references this DPA between the client named in such agreement (“Client”) and Quinlan Partners LLC (“Quinlan”) (collectively, the “Parties”) for the provision of services by Quinlan (identified either as “Services” or otherwise in the applicable agreement, and hereinafter defined as “Services”) (the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Client Personal Information.
In the course of providing the Services to Client, Quinlan may Process Client Personal Information on behalf of Client, and in such case, the Parties agree to comply with the following provisions with respect to Client Personal Information.
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set out below:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means ownership (directly or indirectly) of more than 50% of the voting rights in the applicable entity.
“Aggregate Data” means information that relates to a group or category of individuals, from which individual identities have been removed, and that is not linked or reasonably linkable to any individual or household.
“Client Personal Information” means any Personal Information provided by or on behalf of Client to Quinlan and Processed by Quinlan or Quinlan’s Subprocessor in connection with the Services.
“Data Protection Assessment” means an assessment of the impact of processing operations on the protection of Personal Information and the rights of Data Subjects, which may also be called a “Data Protection Assessment,” “Data Protection Impact Assessment,” or “Risk Assessment” by applicable Data Protection Laws.
“Data Protection Laws” means any and all applicable data protection, security, or privacy-related laws, statutes, directives, or regulations, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) together with any amending or replacement legislation, and any EU Member State laws and regulations promulgated or incorporated thereunder; (b) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (c) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (d) the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; (e) the Colorado Privacy Act of 2021, Colo. Rev. Stat. § 6-1-1301 et seq.; (f) Connecticut Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring” (“CTDPA”); (g) the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; (h) the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code § 541.001 et seq.; (i) the Oregon Consumer Privacy Act, Or. Rev. Stat. § 646A.570 et seq.; (j) the Montana Consumer Data Privacy Act, Mont. Code Ann. § 30-14-2801 et seq.; (k) the Iowa Consumer Data Protection Act, Iowa Code Ch. 715D; (l) the New Hampshire Data Privacy Act, N.H. Rev. Stat. Ann. 507-H; (m) the Nebraska Data Privacy Act, Neb. Rev. Stat. § 87-1101 et seq.; (n) the Delaware Personal Data Privacy Act, Del. Code § 12D-101 et seq.; (o) the New Jersey Data Privacy Act, N.J. Rev. Stat. § 56:8-166.4 et seq.; (p) the Tennessee Information Protection Act, Tenn. Code Ann. § 47-18-3201 et seq.; (q) the Minnesota Consumer Data Privacy Act, Minn. Stat. § 325O.01 et seq.; (r) the Maryland Online Data Privacy Act of 2024, Md. Code Ann., Com. Law § 14-4601 et seq.; (s) the Kentucky Consumer Data Protection Act, Ky. Rev. Stat. § 367.3611 et seq.; (t) the Indiana Consumer Data Protection Act, Ind. Code § 24-15; (u) the Rhode Island Data Transparency and Privacy Protection Act, R.I. Gen. Laws § 6-48.1-1 et seq.; (v) the Washington “My Health My Data” Act, Wash. Rev. Code § 19.373.005 et seq., and Nev. Rev. Stat. § 603A, as amended by Nevada S.B. 370 (together, the “Washington and Nevada Consumer Health Data Laws”); and (w) all other equivalent or similar laws and regulations in the United States relating to Personal Information and privacy, in each case as may be amended, extended or re-enacted from time to time.
“Data Subject” means an identified or identifiable natural person whose Personal Information is being Processed. The term “Data Subject” shall refer to a “Consumer” as that term is defined under Data Protection Laws.
“Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or reasonably be used to infer information about an identifiable natural person.
“Personal Information” means information that is protected by applicable Data Protection Laws or that otherwise identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household.
“Personnel” means officers, directors, employees, Subprocessors, agents and representatives.
“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, including, but not limited to: the California Privacy Protection Agency; and U.S. state attorneys general.
“Security Breach” means any security incident that adversely impacts the security of Client Personal Information.
“Subprocessor” means any third party appointed by Quinlan to Process Client Personal Information as a Service Provider or Processor on behalf of Client in connection with the Agreement.
The terms “Business,” “Business Purpose,” “Controller,” “Process,” “Processor,” “Sell,” “Service Provider,” and “Share” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Client Personal Information, Client is the Controller or Business (as applicable), Quinlan is the Processor or Service Provider (as applicable), and that Quinlan will engage Subprocessors pursuant to the requirements set forth in Section 5 below. The Parties acknowledge and agree that neither Party has reason to believe that the other Party is unable to comply with the provisions of this DPA or otherwise that such Party is in violation of any Data Protection Law. For clarity, Quinlan is not responsible for compliance with any Data Protection Laws applicable to Client or Client’s industry that are not otherwise generally applicable to Quinlan.
2.2 Quinlan’s Processing of Client Personal Information. Quinlan shall treat Client Personal Information as confidential and shall only Process Client Personal Information as necessary to perform its obligations on behalf of and in accordance with Client’s documented instructions for the following permitted purposes: (i) in accordance with the Agreement and applicable order or scope of work and applicable Data Protection Laws (including without limitation, the CCPA); and/or (ii) as applicable, if initiated by Data Subjects in their use of the Services. Quinlan shall not (A) Sell, Share, or otherwise make available Client Personal Information to any third party in exchange for monetary or other valuable consideration, and (B) retain, use or disclose Client Personal Information outside of the direct business relationship with the Client or for any other purpose than what is specified in the Agreement and/or this DPA. When acting as a Service Provider under the CCPA, Quinlan shall not combine Client Personal Information with Personal Information it receives from, or on behalf of, another person or persons, or that it processes as a Business, except as expressly permitted by Data Protection Laws. Quinlan shall promptly notify Client after it makes a determination that it can no longer meet its obligations under applicable Data Protection Laws. Nothing herein shall limit or restrict Quinlan’s right to use Aggregate Data and/or Deidentified Data or limit Quinlan’s right to use Client Personal Information in any manner that is not restricted by specific Data Protection Laws.
2.3 Client’s Processing of Personal Information. Client shall, in its use of the Services, Process Personal Information in accordance with the requirements of Data Protection Laws. Client’s instructions to Quinlan related to the Processing of Client Personal Information shall comply with Data Protection Laws. Client instructs Quinlan (and authorizes Quinlan to instruct each Subprocessor) to Process Client Personal Information, and in particular, to transfer Client Personal Information to any jurisdiction, as necessary for the provision of the Services and consistent with the Agreement and this DPA. Client represents and warrants that it shall (i) not provide Quinlan with (or instruct Quinlan to Process) any Personal Information unless it shall first have given and received the necessary notices and consents (and honored any opt-out rights) under Data Protection Laws; (ii) not provide Quinlan with Personal Information of Data Subjects outside the United States; and (iii) comply with any other requirements under applicable Data Protection Laws.
2.4 Details of the Processing. The subject matter of Processing, the duration of the Processing, the nature and purpose of the Processing, the types of Client Personal Information, and categories of Data Subjects Processed under this DPA shall be set forth by the Parties from time to time in a project order, scope of work or other ordering document.
2.5 Processing of Sensitive Data Prohibited. Client shall not disclose, transfer, or otherwise make available to Quinlan any of the following categories of information unless Quinlan has first expressly agreed in writing to accept such information:
2.5.1 Any information that constitutes “sensitive personal information,” “sensitive data,” “sensitive data inferences,” or “special categories of personal data” as those terms are defined under Data Protection Laws;
2.5.2 Any information that constitutes “consumer health data” under the CTDPA or the Washington and Nevada Consumer Health Data Laws;
2.5.3 Any information that constitutes “protected health information” under the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 42 U.S.C. § 1320d et seq., together with any amending legislation and any regulations promulgated thereunder; and
2.5.4 Any Personal Information that is deemed by Regulatory Authorities as meriting sensitive or other heightened treatment under applicable Data Protection Laws or U.S. state or federal consumer protection laws.
2.6 Other Personal Information. For the avoidance of doubt, Personal Information that Quinlan independently acquires while performing the Services for Client shall not be considered Client Personal Information.
3.1 The Parties shall reasonably cooperate in responding to Data Subject rights requests (“Data Subject Request”) and complying with requirements of Data Protection Laws in relation thereto.
3.2 If a Data Subject Request is made directly to Quinlan, Quinlan will promptly inform Client and will advise the Data Subject to submit the request to Client. Client will be solely responsible for responding substantively to any such Data Subject Requests or other communications involving Personal Information.
4.1 Confidentiality. Quinlan shall ensure that its Personnel engaged in the Processing of Client Personal Information are informed of the confidential nature of the Client Personal Information, and have received appropriate training regarding the Processing of Client Personal Information.
4.2 Reliability. Quinlan shall endeavor, in the exercise of its reasonable business discretion, to ensure the reliability of any Personnel engaged in the Processing of Client Personal Information.
4.3 Limitation of Access. Quinlan shall ensure that Quinlan’s access to Client Personal Information is limited to those Personnel performing the Services in accordance with the Agreement.
4.4 Data Protection Officer. To the extent required by applicable Data Protection Laws, each Party has appointed a data protection officer.
5.1 Appointment of Subprocessors. With respect to the Processing of Client Personal Information, Client authorizes Quinlan to appoint Subprocessors to Process Client Personal Information for a business purpose on behalf of Client, and consistent with the business purpose set forth herein, pursuant to a written contract that includes obligations that are at least as protective as those set out in this DPA and as required by Data Protection Laws.
5.2 Notification of Subprocessors and Client’s Right to Object. Quinlan shall provide a list of its Subprocessors to Client upon written request. With the exception of commonly engaged vendors over whom Quinlan exercises little control (such as Google, Amazon, or Facebook), if, within fifteen (15) business days of receipt of that list, Client (acting reasonably and in good faith) notifies Quinlan in writing of any objections to the appointment of a Subprocessor, Quinlan shall cease disclosing any Client Personal Information to the proposed Subprocessor until reasonable steps have been taken to address the objections raised by Client and Client has been provided with notice thereof. Quinlan remains fully liable for any breach of this DPA that is caused by an act, error, or omission of its Subprocessor.
6.1 Controls for the Protection of Client Personal Information. Quinlan shall maintain appropriate physical, technical and organizational measures designed to protect the security, confidentiality, and integrity of Client Personal Information. In the event of any (i) unauthorized acquisition, alteration, or disclosure of Client Personal Information that requires notification to an individual, government or regulatory body, or law enforcement authority under Data Protection Laws, or (ii) breach of Data Protection Laws with respect to Client Personal Information, Quinlan shall notify Client promptly.
6.2 Data Security Incident Management and Notification. Quinlan shall maintain security incident management policies and procedures, and if at any time Quinlan determines that there has been a Security Breach, Quinlan shall promptly: (i) notify Client in writing of such Security Breach; (ii) investigate and take steps to remediate the Security Breach, and (iii) provide information regarding the specific Client Personal Information adversely impacted by the Security Breach as reasonably requested by Client.
7.1 Audits and Assessments.
7.1.1 If required of Quinlan under applicable Data Protection Laws, Quinlan shall reasonably cooperate with Client, at Client’s expense, in relation to any audit of Quinlan reasonably necessary to enable Client to comply with its obligations under Data Protection Laws (“Audit”), and shall seek the equivalent cooperation from relevant Subprocessors. Any Audit shall be: (i) subject to a mutually agreed upon scope; (ii) conducted by an independent third party who has signed a nondisclosure agreement with Quinlan or the Subprocessor, as the case may be; and (iii) subject to the confidentiality obligations set forth in the Agreement. Client shall use reasonable endeavors to minimize any disruption caused to Quinlan’s (or the Subprocessor’s, as the case may be) business activities as a result of an Audit. Audits shall take place no more than once in any calendar year except as otherwise required of Quinlan under applicable Data Protection Laws. In addition, if required of Quinlan under applicable Data Protection Laws, Quinlan shall allow Client to take reasonable and appropriate steps to (a) ensure that Quinlan’s use of Client Personal Information is consistent with Client’s obligations under applicable Data Protection Laws, and (b) stop and remediate unauthorized use of Client Personal Information.
7.1.2 For the avoidance of doubt, any information obtained by Client pursuant to an Audit shall be maintained in confidence by Client and may not be disclosed to any third party, including, without limitation, any other agents or representatives of Client, except to the extent necessary to assert or enforce any of Client’s rights under this DPA or if otherwise required to be disclosed by Data Protection Laws, by any Regulatory Authority, or by a court or other authority of competent jurisdiction. If any such disclosure is so required, Client agrees to give Quinlan as much advance notice of the disclosure as possible (where notice of disclosure is not prohibited) and Client shall meaningfully consult with Quinlan (unless legally prohibited from doing so) in relation to the content and scope of the disclosure.
7.2 Data Protection Assessments. Upon Client’s request and to the extent required of Quinlan under applicable Data Protection Laws, Quinlan shall provide Client, at Client’s reasonable expense, with the information reasonably necessary for Client to carry out a Data Protection Assessment related to Client’s use of the Services, to the extent that Client does not otherwise have access to the relevant information and that such information is reasonably available to Quinlan. To the extent required under the GDPR or UK GDPR, Quinlan shall provide reasonable assistance to Client in its cooperation or prior consultation with a Regulatory Authority in the performance of its tasks relating to this Section 7.
Quinlan shall, on the written request of Client, return all Client Personal Information to Client and/or at Client’s request delete the same from its systems, except as otherwise permitted by applicable Data Protection Laws.
9.1 Transfers of EEA, Swiss, or UK Personal Information. If the Processing of Client Personal Information includes transfers from the EEA, Switzerland, or the United Kingdom to countries which are deemed to provide inadequate levels of data protection (“Other Countries”), then, if required by Data Protection Laws, the Parties: (i) hereby incorporate by reference the model clauses adopted by the European Commission or the UK Secretary of State as set forth in this Section 9 (if applicable); or (ii) shall comply with any of the other mechanisms provided for under Data Protection Laws for transferring Client Personal Information to such Other Countries. Additional information required by the Standard Contractual Clauses is set forth in Annexes I and II attached hereto.
9.2 EU SCCs Modules. The Parties agree that for transfers of Client Personal Information from the European Economic Area (“EEA”), the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”), as annexed to Commission Implementing Decision (EU) 2021/914, are hereby incorporated by reference into this DPA as follows:
9.2.1 Where Quinlan Processes Personal Information as a Processor for Client pursuant to the terms of the Agreement, Quinlan and its relevant Subprocessor Affiliates are located in third countries not covered by an adequacy decision, and Client and its relevant Affiliates are established in the EEA or are otherwise transferring the Personal Information of EEA Data Subjects (either directly or via onward transfer): Module Two (Transfer controller to processor), Clauses 1 to 18, applies.
9.2.2 Where Client Processes Personal Information as a Processor under the instructions of a third-party Controller, Quinlan Processes Personal Information as a Subprocessor for Client pursuant to the terms of the Agreement, Quinlan and its relevant Subprocessor Affiliates are located in third countries not covered by an adequacy decision, and Client and its relevant Affiliates are established in the EEA or are otherwise transferring the Personal Information of EEA Data Subjects (either directly or via onward transfer): Module Three (Transfer processor to processor), Clauses 1 to 18, applies.
9.3 EU SCCs Optional Provisions. In addition to Section 9.2, where the EU SCCs identify optional provisions (or provisions with multiple options), the following shall apply:
9.3.1 In Clause 7 (Docking Clause) (Modules 1, 2, 3, or 4), the optional provision shall NOT apply;
9.3.2 In Clause 9(a) (Use of sub-processors) (Modules 2 or 3), Option 1 shall apply (and the Parties shall follow the process and timings agreed in this DPA to appoint sub-processors);
9.3.3 In Clause 11(a) (Redress) (Modules 1, 2, 3, or 4), the optional provision shall NOT apply;
9.3.4 In Clause 17 (Governing law) (Modules 1, 2, 3, or 4), Option 1 shall apply, and the laws of Ireland shall govern; and
9.3.5 In Clause 18 (Choice of forum and jurisdiction) (Modules 1, 2, 3, or 4), the courts of Ireland shall have jurisdiction.
9.4 UK Model Clauses. The Parties agree that for transfers of Client Personal Information from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s Office under section 119A(1) of the Data Protection Act 2018 and in force from March 21, 2022 (the “UK Addendum”), shall apply. The start date in Table 1 of the UK Addendum shall be the date on which the Parties have executed Annex I. The selection of modules and optional clauses shall be as described in Sections 9.2 and 9.3 above, subject to any revisions or amendments required by the UK Addendum. All other information required by Tables 1 to 3 is set forth in Annexes I and II. For the purposes of Table 4, the Parties agree that the Exporter may end the UK Addendum as set out in Section 19 of the UK Addendum.
9.5 Swiss Data Transfers. The Parties agree that for transfers of Client Personal Information from Switzerland, the terms of the EU SCCs shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.
The Parties to this DPA hereby submit to the choice of law and jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA.
THE “LIMITATION OF LIABILITY” SECTION OF THE AGREEMENT (OR THE EQUIVALENT THEREOF) SHALL APPLY TO ALL CLAIMS, DEMANDS, SUITS, CAUSES OF ACTION, AWARDS, JUDGMENTS AND LIABILITIES, INCLUDING REASONABLE ATTORNEYS' FEES AND COSTS, ARISING OUT OF OR ALLEGED TO HAVE ARISEN OUT OF QUINLAN’S BREACH OF ITS OBLIGATIONS UNDER THIS DPA.
In the event of any change to or new Data Protection Law(s), the Parties shall mutually agree upon any reasonably necessary amendments or revisions to this DPA.
Categories of Data Subjects whose Personal Information is transferred:
Subjects relevant to Quinlan’s Services
Categories of Personal Information transferred include, but are not limited to:
Any data which may be provided or made available to Quinlan in connection with the Services
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Any data which may be provided or made available to Quinlan in connection with the Services
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
One-off transfers
Nature of the Processing:
In connection with the Services as specified in agreements between the parties
Purpose(s) of the data transfer and further Processing:
To perform the Services as specified in agreements between the parties
The period for which the Personal Information will be retained, or, if that is not possible, the criteria used to determine that period:
Retention periods are set according to minimum retention periods required by law, or longer
For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing:
Transfers to (sub-)processors are conducted in accordance with the above
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Available to Clients upon request